Delegating a scope of permission between pairwise DIDs. First, a computing system determines a relationship between a first DID and a second DID. The first DID and the second DID are pairwise DIDs. Based on the relationship, the computing system delegates a scope of permission owned by the first DID to the second DID. In particular, the computing system defines the scope of permission and grants a public key of the second DID the scope of the permission. The delegation of the defined scope of permission is signed by a private key of the first DID, such that the signature is a proof of the delegation. A portion of data related to the delegation is then propagated onto the distributed ledger.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A computing system comprising: one or more processors; and one or more computer-readable media having thereon computer-executable instructions that are structured such that, when executed by the one or more processors, cause the computing system to perform the following: determine a relationship between a first decentralized identifier (DID) owner of a first DID and a second DID owner of a second DID, the first DID and the second DID being pairwise DIDs; and based on the relationship, delegate a scope of permission owned by the first DID to the second DID, comprising: define the scope of permission; grant a public key of the second DID the defined scope of permission; generate a signature by a private key of the first DID, proving the delegation of the defined scope of permission to the public key of the second DID; and propagate a portion of data related to the delegation onto a distributed ledger.
The invention relates to a computing system for managing decentralized identity (DID) permissions in a decentralized identity framework. The system addresses the challenge of securely delegating permissions between DID owners while maintaining trust and verifiability in a distributed environment. Decentralized identifiers (DIDs) are unique identifiers that enable entities to control their digital identities without relying on centralized authorities. However, delegating permissions between DID owners in a secure and verifiable manner presents technical challenges, particularly in ensuring that the delegation is properly authorized and recorded. The computing system includes one or more processors and computer-readable media with executable instructions. The system determines a relationship between a first DID owner and a second DID owner, where both DIDs are pairwise DIDs, meaning they are uniquely associated with their respective owners. Based on this relationship, the system delegates a defined scope of permission from the first DID to the second DID. This involves defining the scope of permission, granting the second DID's public key the specified permission, and generating a signature using the first DID's private key to prove the delegation. The system then propagates a portion of the delegation data onto a distributed ledger, such as a blockchain, to ensure transparency and immutability. This approach enables secure and verifiable permission delegation in decentralized identity systems.
2. The computing system of claim 1, the computing system further caused to: map a plurality of relationships to a plurality of scope of permissions; record the mapped data in a storage that is accessible to the computing system; and based on the mapped data, determine the scope of permission corresponding to the relationship between the first DID owner and the second DID owner.
This invention relates to computing systems that manage permissions and relationships between decentralized identifiers (DIDs). The problem addressed is the need for a structured and scalable way to define, store, and retrieve permission scopes based on relationships between DID owners in a decentralized identity framework. The system maps multiple relationships to corresponding permission scopes, stores this mapping in an accessible storage, and dynamically determines the appropriate permission scope for a given relationship between two DID owners. This allows for fine-grained access control in decentralized identity systems, ensuring that permissions are contextually relevant to the relationship between parties. The system enhances security and interoperability by providing a clear, auditable mechanism for permission management in decentralized environments. The stored mappings enable efficient permission resolution, reducing computational overhead while maintaining flexibility in defining relationship-based access rules. This approach is particularly useful in scenarios where identity verification and authorization must be decentralized yet secure, such as in blockchain-based identity systems or federated identity networks.
3. The computing system of claim 2, wherein the mapping the plurality of relationships to the plurality of scopes of permission is based on at least one of the following: (1) data recorded in DID document(s), (2) data propagated onto the distributed ledger, or (3) user input(s).
This technical summary describes a computing system that manages permissions and relationships in a decentralized identity framework. The system addresses the challenge of securely and flexibly controlling access to digital resources by mapping relationships between entities to specific scopes of permission. The mapping process can be based on three distinct sources: data recorded in decentralized identifier (DID) documents, data propagated onto a distributed ledger, or direct user inputs. DID documents store identity-related information and permissions in a decentralized manner, while distributed ledgers provide a tamper-resistant record of transactions and relationships. User inputs allow for manual adjustments to permissions, ensuring adaptability. The system dynamically associates relationships with permission scopes, enabling fine-grained access control. This approach enhances security by leveraging decentralized identity standards and distributed ledger technology, while also accommodating user-defined configurations. The solution is particularly useful in environments requiring scalable, trustless permission management, such as blockchain-based applications, decentralized authentication systems, and peer-to-peer networks. By integrating multiple sources of permission data, the system ensures robust and flexible access control mechanisms.
4. The computing system of claim 2, wherein the plurality of relationships includes at least one of the following (1) a child-parent relationship, (2) a spousal relationship, (3) an employee-employer relationship, (4) customer-service relationship, or (5) a contract relationship.
This invention relates to a computing system designed to manage and analyze complex relational data between entities, such as individuals or organizations. The system addresses the challenge of efficiently organizing and querying interconnected data where relationships between entities are diverse and multifaceted. The system includes a data processing module that identifies and categorizes relationships between entities, enabling structured analysis of these connections. The relationships may include hierarchical structures like child-parent relationships, social or legal bonds such as spousal relationships, professional connections like employee-employer relationships, commercial interactions like customer-service relationships, or contractual agreements. The system further includes a query engine that allows users to search and retrieve data based on these relationships, facilitating tasks such as family history analysis, organizational hierarchy mapping, or contract management. The invention enhances data organization by standardizing relationship types, improving accuracy in relational queries, and supporting automated decision-making processes that rely on these connections. The system is particularly useful in applications requiring deep relational insights, such as social networks, enterprise management, or legal compliance tracking.
5. The computing system of claim 2, the computing system further caused to: in response to a request from the second DID owner of the second DID for access to a scope of permission, determine whether a particular relationship still exists; and in response to a determination that the particular relationship no longer exists, revoke the delegation of the corresponding scope of permission and propagate a portion of data related to the revocation of permission to the distributed ledger.
This invention relates to decentralized identity (DID) management systems, specifically addressing the challenge of dynamically managing permission delegation and revocation in distributed ledger environments. The system monitors relationships between DID owners and automatically revokes permissions when those relationships terminate, ensuring data integrity and security. The computing system operates within a decentralized identity framework where multiple DID owners interact. It tracks relationships between a first DID owner and a second DID owner, where the first DID owner has delegated specific permissions to the second DID owner. These permissions are scoped, meaning they apply only to certain data or actions. When the second DID owner requests access to a delegated permission, the system checks whether the underlying relationship still exists. If the relationship has ended, the system revokes the corresponding permission scope. The revocation is then recorded on a distributed ledger, ensuring transparency and immutability. The system propagates relevant data about the revocation to the ledger, allowing all participants to verify the change. This approach automates permission management, reducing manual oversight while maintaining security. It is particularly useful in environments where relationships between entities are dynamic, such as business partnerships or access control systems. The system ensures that permissions are only valid as long as the relationship exists, preventing unauthorized access after termination.
6. The computing system of claim 2, the computing system further caused to: periodically check whether a particular relationship still exists; and in response to a determination that the particular relationship no longer exists, revoke the delegation of the corresponding scope of permission and propagate data related to the revocation of permission to the distributed ledger.
This invention relates to computing systems that manage delegated permissions in a distributed ledger environment. The problem addressed is ensuring that delegated permissions remain valid only as long as the underlying relationship justifying those permissions exists, with automatic revocation and ledger updates when the relationship terminates. The computing system monitors delegated permissions granted to users or entities based on specific relationships, such as employment, contractual agreements, or other contextual factors. It periodically verifies whether these relationships still hold. If a relationship is found to no longer exist, the system automatically revokes the corresponding permissions and records this revocation in a distributed ledger. The ledger update ensures transparency and immutability of permission changes across the system. The system also includes mechanisms to propagate revocation data to the distributed ledger, ensuring all nodes in the network are synchronized with the latest permission state. This approach prevents unauthorized access when relationships terminate, maintaining security and compliance in decentralized environments. The invention is particularly useful in blockchain-based systems, identity management platforms, or any permissioned access control framework requiring dynamic relationship-based authorization.
7. The computing system of claim 2, the computing system further caused to: in response to receiving a user input that changes information related to the first DID or information related to the second DID, determine whether a particular relationship still exists; and in response to a determination that the particular relationship no longer exists, revoke the delegation of the corresponding scope of permission and propagate data related to the revocation of permission to the distributed ledger.
This invention relates to decentralized identity management systems, specifically addressing the dynamic handling of permissions and relationships between decentralized identifiers (DIDs) in a distributed ledger environment. The system monitors changes to DID-related information and automatically adjusts delegated permissions when relationships between DIDs are modified or terminated. When a user input alters information associated with a first DID or a second DID, the system evaluates whether a predefined relationship between the two DIDs still holds. If the relationship no longer exists, the system revokes the previously granted scope of permission and records this revocation on the distributed ledger, ensuring consistency and transparency across the network. This approach enhances security and trust by automatically enforcing permission changes in response to relationship status updates, reducing the risk of unauthorized access or outdated permissions persisting in the system. The system operates within a broader framework that includes DID management, permission delegation, and distributed ledger integration, ensuring that permission states remain synchronized with the current state of DID relationships.
8. The computing system of claim 3, the computing system further caused to: receive a user input for generating, updating, or deleting a mapped pair of a particular scope of permission and a particular relationship, and based on the user input, update the recorded mapped data in the storage.
This invention relates to computing systems that manage permissions and relationships, particularly in environments where access control is dynamically adjusted based on user-defined mappings. The problem addressed is the need for flexible and granular permission management, where permissions are tied to specific relationships rather than fixed roles or attributes. The system records mapped data that associates scopes of permission with particular relationships, allowing for context-aware access control. When a user provides input to generate, update, or delete a mapped pair of a permission scope and a relationship, the system modifies the stored mappings accordingly. This enables dynamic adjustments to access rights without requiring static role definitions or rigid permission structures. The system ensures that permissions are consistently applied based on the current state of relationships, improving security and adaptability in environments where relationships frequently change. The invention is particularly useful in collaborative platforms, enterprise systems, or any application where access control must evolve with dynamic user interactions.
9. The computing system of claim 8, the computing system further caused to: in response to the user input, update delegation(s) between pairwise DIDs that have a particular relationship that is affected by the user input.
A computing system manages decentralized identifiers (DIDs) and their relationships, addressing challenges in identity management and delegation control. The system enables users to modify delegation permissions between DIDs, ensuring secure and dynamic access control. When a user provides input to adjust a DID relationship, the system automatically updates delegations between affected DID pairs. This ensures that permissions remain consistent with the user's intended relationship changes. The system may also verify the validity of the user input before processing delegation updates, preventing unauthorized modifications. Additionally, the system can track delegation history and enforce policies to maintain compliance. This approach enhances security and flexibility in decentralized identity systems by automating delegation adjustments based on relationship changes.
10. The computing system of claim 1, wherein: the defining the scope of permission includes defining one or more restrictions; and the propagating a portion of data related to the delegation includes propagating the one or more restrictions to the distributed ledger.
This invention relates to computing systems that manage data permissions and delegations in distributed ledger environments. The problem addressed is ensuring secure and controlled propagation of data permissions across decentralized systems, where unauthorized access or improper delegation can lead to security vulnerabilities. The system defines the scope of permission for data access, including setting one or more restrictions that limit how the data can be used or shared. These restrictions are then propagated to a distributed ledger, ensuring that permission rules are consistently enforced across the network. The distributed ledger acts as an immutable record, maintaining a transparent and tamper-proof log of permissions and their associated restrictions. The system also handles delegation of permissions, where access rights are transferred to another entity. When delegating permissions, a portion of the data related to the delegation is propagated to the distributed ledger, including the defined restrictions. This ensures that any subsequent access or further delegation adheres to the original constraints, preventing unauthorized modifications or expansions of access rights. By integrating permission management with distributed ledger technology, the system provides a robust framework for maintaining data security and compliance in decentralized environments. The use of restrictions ensures that permissions are not only granted but also properly controlled, reducing the risk of misuse.
11. The computing system of claim 10, wherein the one or more restrictions includes an expiration time of the delegation.
A computing system manages delegated access to resources, addressing the challenge of securely granting temporary permissions without compromising system integrity. The system enforces restrictions on delegated access, including an expiration time, to ensure permissions are automatically revoked after a specified duration. This prevents unauthorized prolonged access and reduces administrative overhead by eliminating the need for manual revocation. The system may also apply additional restrictions, such as limiting the scope of delegated actions or specifying allowed resource types. By dynamically enforcing these constraints, the system enhances security while maintaining flexibility in access control. The delegation process involves verifying the delegator's authority, validating the delegatee's identity, and applying predefined policies to determine permissible actions. The expiration time restriction ensures that delegated permissions are time-bound, mitigating risks associated with long-term access grants. This approach is particularly useful in environments where temporary access is frequently required, such as collaborative projects or emergency response scenarios. The system may integrate with existing authentication and authorization frameworks to streamline the delegation workflow while maintaining compliance with security policies.
12. The computing system of claim 10, wherein the one or more restrictions includes a restriction that restricts access to a portion of data or service for a predetermined number of times.
A computing system manages access to data or services by enforcing restrictions on user interactions. The system includes a processor and memory storing instructions that, when executed, control access based on predefined conditions. One such restriction limits access to a specific portion of data or service to a predetermined number of times. For example, a user may be allowed to access a particular file or feature only a fixed number of times before further access is blocked. This restriction can be applied to prevent excessive usage, enforce licensing terms, or manage resource allocation. The system may track usage counts and compare them against the predefined limit to determine whether to grant or deny access. Additional restrictions may include time-based limits, user role-based permissions, or geographic-based access controls. The system dynamically evaluates these restrictions to ensure compliance with access policies while maintaining secure and controlled access to resources. This approach helps organizations manage data and service usage efficiently while mitigating risks such as unauthorized access or resource exhaustion.
13. The computing system of claim 10, wherein the one or more restrictions includes a restriction to access to a portion of data, the restriction includes at least one of the following: (1) a read permission, (2) a write permission, (3) a delete permission, or (4) a delegation permission.
A computing system manages access to data by enforcing restrictions on user permissions. The system controls access to specific portions of data, where restrictions may include read, write, delete, or delegation permissions. Read permissions determine whether a user can view the data. Write permissions control whether a user can modify the data. Delete permissions regulate whether a user can remove the data. Delegation permissions dictate whether a user can transfer or assign access rights to others. The system ensures that users can only perform actions on data portions for which they have the appropriate permissions, enhancing data security and access control. This approach prevents unauthorized modifications, deletions, or unauthorized sharing of data, addressing challenges in secure data management and access governance. The system may be part of a broader access control framework, where permissions are dynamically assigned or revoked based on user roles, policies, or contextual factors. The restrictions apply to individual data portions, allowing fine-grained control over data access within the system.
14. The computing system of claim 10, wherein the one or more restrictions includes one or more conditions, the one or more conditions including at least one of the following: (1) requiring the second DID to pay a predetermined amount of cryptocurrency, (2) requiring the second DID to provide particular personal data, or (3) requiring the second DID to provide one or more verifiable claims, wherein the particular personal data includes at least one of the following: (1) an email address, (2) a phone number, (3) a location, (4) a name of the second DID owner, (5) an IP address, or (6) a device identifier.
This invention relates to computing systems that manage decentralized identifiers (DIDs) and enforce restrictions on interactions between DIDs. The problem addressed is ensuring secure and controlled access to services or resources by requiring specific conditions to be met before a second DID can interact with a first DID. The system imposes restrictions that include conditions such as financial payments, data provision, or verifiable claims. The conditions may require the second DID to pay a predetermined amount of cryptocurrency, provide specific personal data (e.g., email address, phone number, location, name, IP address, or device identifier), or submit verifiable claims. These restrictions enhance security and trust in decentralized identity systems by ensuring that only authorized or verified entities can engage in transactions or access resources. The system dynamically enforces these conditions, allowing for flexible and secure interactions in decentralized environments. The invention is particularly useful in blockchain-based identity management, where trust and verification are critical.
15. The computing system of claim 10, the computing system further caused to perform the following: receive a request from a device of the second DID owner for accessing to a scope of permission; request for proof of delegation of the requested scope of permission; receive a proof code from the device of the second DID owner, the proof code configured to prove that the second DID has been delegated to the requested scope of permission; validate the proof code; and based on the validation of the proof code, grant or deny the request from the second DID.
This invention relates to decentralized identity (DID) systems, specifically addressing secure delegation and permission management in distributed digital identity frameworks. The system enables a first DID owner to delegate specific permissions to a second DID owner, allowing the second DID to access restricted resources or perform actions on behalf of the first DID. The challenge addressed is ensuring secure and verifiable delegation of permissions without relying on centralized authorities, which is critical for privacy and trust in decentralized identity systems. The computing system manages permission delegation by receiving a request from a second DID owner to access a specific scope of permission. Upon receiving the request, the system requests proof that the second DID has been delegated the requested permission scope. The second DID owner provides a proof code, which the system validates to confirm the delegation is legitimate. Based on the validation, the system either grants or denies the access request. This process ensures that only properly delegated DIDs can access restricted permissions, maintaining security and integrity in the decentralized identity framework. The system may also include mechanisms for the first DID owner to revoke or modify delegated permissions, further enhancing control and flexibility in permission management.
16. The computing system of claim 15, wherein the proof code includes the signature signed by the private key of the first DID.
A computing system is described for managing decentralized identifiers (DIDs) and verifying digital signatures in a distributed ledger environment. The system addresses challenges in securely authenticating entities and ensuring the integrity of digital signatures in decentralized systems. The system includes a processor and memory storing instructions for generating and verifying proof codes associated with DIDs. A proof code is a cryptographic construct that binds a DID to a specific action or transaction, ensuring that the action is authorized by the DID holder. The proof code includes a digital signature created using the private key of a first DID, which can be verified using the corresponding public key. This signature ensures that the proof code was generated by the legitimate owner of the DID, preventing unauthorized modifications or forgeries. The system also supports the generation of proof codes for multiple DIDs, allowing cross-verification between different decentralized identities. The verification process involves checking the signature within the proof code against the public key associated with the DID, ensuring that the proof code is valid and has not been tampered with. This mechanism enhances security and trust in decentralized identity management by providing a verifiable link between actions and the entities performing them. The system is particularly useful in applications requiring secure authentication, such as blockchain-based identity verification, digital signatures, and decentralized access control.
17. The computing system of claim 15, wherein the validating the proof code includes: decrypting the signature by a public key of the first DID; retrieving data related to the delegation from the distributed ledger; and analyzing the decrypted signature and the data related to the delegation to determine whether the proof code is valid.
This invention relates to computing systems that validate proof codes in decentralized identity (DID) frameworks, addressing challenges in securely verifying delegated authority. The system receives a proof code from the device of the second DID owner, where the proof code includes a signature signed by the private key of the first DID. The system validates the proof code by decrypting the signature using a public key of the first DID, retrieving delegation-related data from a distributed ledger, and analyzing the decrypted signature alongside the ledger data to confirm the proof code's validity. The delegation data may include permissions, expiration times, or other constraints. The system ensures that the second DID has legitimate authority to act on behalf of the first DID, preventing unauthorized actions. The distributed ledger provides a tamper-resistant record of delegation relationships, enhancing trust in the validation process. This approach is particularly useful in decentralized identity systems where entities must verify delegated permissions without relying on centralized authorities. The system may also include additional components for generating, transmitting, or storing proof codes and delegation data.
18. The computing system of claim 15, wherein the validating the proof code further includes: verifying the requested scope of permission is within the delegated scope of permission; and when the scope of permission includes one or more conditions, determining whether the one or more conditions are satisfied.
This invention relates to computing systems that manage permission delegation and validation, particularly in scenarios where a delegated permission scope must be verified before granting access. The problem addressed is ensuring that a requested permission scope aligns with the originally delegated scope and that any associated conditions are met before access is granted. This is critical in systems where permissions are dynamically delegated, such as in cloud computing, distributed systems, or access control frameworks. The system includes a mechanism to validate a proof code associated with a permission request. The validation process involves checking whether the requested scope of permission falls within the delegated scope of permission. If the delegated scope includes one or more conditions, the system further determines whether those conditions are satisfied. This ensures that permissions are only granted when they are properly scoped and meet all necessary constraints. The system may also include components for generating, storing, and transmitting the proof code, as well as verifying the integrity and authenticity of the proof code to prevent unauthorized access. This approach enhances security by enforcing strict permission boundaries and condition checks, reducing the risk of over-privileged access or unauthorized actions. The system is particularly useful in environments where fine-grained access control is required, such as multi-tenant cloud platforms, enterprise applications, or decentralized systems.
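The delegation and proof-code validation described in claims 1, 10 to 13 and 15 to 18, as an added example that is not code from the patent or from this page. The Ed25519 keys, the in-memory `ledger` and `didDocs` maps, the `did:example:` identifiers, the field names, and the requester's signature over the request (a key-possession check the claims do not spell out) are all assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed stand-ins (assumptions): DID resolver, ledger, usage counter.
const didDocs = new Map();   // DID -> public key published in its DID document
const ledger = new Map();    // grant hash -> { revoked }
const useCounts = new Map(); // grant hash -> number of accesses already granted

// Deterministic JSON so signer and verifier process identical bytes.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

function createDid(did) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  didDocs.set(did, publicKey);
  return { did, publicKey, privateKey };
}

// Define scope and restrictions, bind them to the delegatee's public key,
// sign with the delegator's private key, publish a portion to the ledger.
function delegate(owner, delegatee, scope, restrictions) {
  const grant = {
    delegator: owner.did,
    delegateeKey: delegatee.publicKey.export({ type: 'spki', format: 'pem' }),
    scope,
    restrictions,
  };
  const bytes = Buffer.from(canonical(grant));
  const signature = crypto.sign(null, bytes, owner.privateKey).toString('base64');
  ledger.set(sha256(bytes), { revoked: false });
  return { grant, signature }; // the proof code handed to the delegatee
}

function revoke(proof) {
  ledger.get(sha256(Buffer.from(canonical(proof.grant)))).revoked = true;
}

// Delegatee side: sign the access request so a copied proof code is useless
// without the delegatee's private key.
function signRequest(holder, request) {
  const bytes = Buffer.from(canonical(request));
  return crypto.sign(null, bytes, holder.privateKey).toString('base64');
}

// Verifier side. Ed25519 signatures are verified, not decrypted.
function validate(ownerDid, proof, request, requestSig, now) {
  const deny = (reason) => ({ granted: false, reason });
  const grant = proof && proof.grant;
  if (!grant || grant.delegator !== ownerDid) return deny('wrong delegator');
  const bytes = Buffer.from(canonical(grant));
  let sigOk = false;
  let holderOk = false;
  try {
    // The owner's key comes from the resolver, never from the proof itself.
    sigOk = crypto.verify(null, bytes, didDocs.get(ownerDid),
      Buffer.from(String(proof.signature), 'base64'));
    holderOk = crypto.verify(null, Buffer.from(canonical(request)),
      crypto.createPublicKey(grant.delegateeKey),
      Buffer.from(String(requestSig), 'base64'));
  } catch { /* malformed key or signature: both flags stay as set */ }
  if (!sigOk) return deny('bad delegation signature');
  if (!holderOk) return deny('requester does not hold delegatee key');
  const id = sha256(bytes); // recomputed, not taken from the requester
  const entry = ledger.get(id);
  if (!entry) return deny('not on ledger');
  if (entry.revoked) return deny('revoked');
  if (request.resource !== grant.scope.resource ||
      !grant.scope.permissions.includes(request.permission)) {
    return deny('outside delegated scope');
  }
  const r = grant.restrictions || {};
  if (r.expires !== undefined && now >= r.expires) return deny('expired');
  const used = useCounts.get(id) || 0;
  if (r.maxUses !== undefined && used >= r.maxUses) return deny('use limit reached');
  useCounts.set(id, used + 1);
  return { granted: true, reason: 'ok' };
}

// Constructed scenario: alice delegates read access to bob, twice, for 60 s.
function demo() {
  const alice = createDid('did:example:alice');
  const bob = createDid('did:example:bob');
  const mallory = createDid('did:example:mallory');
  const t0 = 1700000000000;
  const scope = { resource: 'records/2020', permissions: ['read'] };
  const proof = delegate(alice, bob, scope, { expires: t0 + 60000, maxUses: 2 });
  // A real verifier would issue the nonce and reject reuse; not tracked here.
  const read = { resource: 'records/2020', permission: 'read', nonce: 'n1' };
  const write = { ...read, permission: 'write' };
  const widened = { ...proof, grant: { ...proof.grant,
    scope: { resource: 'records/2020', permissions: ['read', 'write'] } } };
  const check = (p, req, who, now) =>
    validate(alice.did, p, req, signRequest(who, req), now).reason;
  const out = {};
  out.first = check(proof, read, bob, t0);
  out.stolen = check(proof, read, mallory, t0);
  out.write = check(proof, write, bob, t0);
  out.tampered = check(widened, write, bob, t0);
  out.expired = check(proof, read, bob, t0 + 60000);
  out.second = check(proof, read, bob, t0);
  out.third = check(proof, read, bob, t0);
  revoke(proof);
  out.revoked = check(proof, read, bob, t0);
  return out;
}

console.log(demo());
```
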
19. A method implemented at a computing system for delegating a scope of permission owned by a first decentralized identifier (DID) to a second DID, the first DID and the second DID are pairwise DIDs, comprising: determining a relationship between the first DID and a second DID, the first DID and the second DID are pairwise DIDs; and based on the relationship, delegating a scope of permission owned by the first DID to the second DID, comprising: defining the scope of permission; granting a public key of the second DID the defined scope of permission; generating a signature by a private key of the first DID, proving the delegation of the defined scope of permission to the public key of the second DID; and propagating a portion of data related to the delegation onto a distributed ledger.
This invention relates to decentralized identity management, specifically a method for delegating permissions between decentralized identifiers (DIDs) in a secure and verifiable manner. The problem addressed is the need for a trustless system where one DID can grant specific permissions to another DID without relying on a centralized authority, ensuring secure and auditable delegation of access rights. The method involves determining a relationship between a first DID (the delegator) and a second DID (the delegatee), where both DIDs are pairwise, meaning they are independently controlled and not hierarchically linked. Based on this relationship, the first DID delegates a defined scope of permission to the second DID. The delegation process includes defining the specific permissions to be granted, associating those permissions with the second DID's public key, and generating a cryptographic signature using the first DID's private key to prove the delegation. Finally, the delegation details are recorded on a distributed ledger, ensuring transparency and immutability. This approach enables secure, verifiable delegation of permissions in decentralized systems, such as blockchain-based identity frameworks, where trust is established through cryptographic proofs rather than centralized intermediaries. The use of pairwise DIDs ensures that delegation is direct and does not require pre-existing hierarchical relationships.
20. A computer program product comprising one or more hardware storage devices having stored thereon computer-executable instructions that are structured such that, when executed by one or more processors of a computing system, the computer-executable instructions cause the computer system to perform at least: determine a relationship between a first decentralized identifier (DID) and a second DID, the first DID and the second DID are pairwise DIDs; and based on the relationship, delegate a particular scope of permission owned by the first DID to the second DID, comprising: defining the scope of permission; granting a public key of the second DID the defined scope of permission; generating a signature by a private key of the first DID, proving the delegation of the defined scope of permission to the public key of the second DID; and propagating a portion of data related to the delegation onto a distributed ledger.
This invention relates to decentralized identity management systems, specifically addressing the challenge of securely delegating permissions between decentralized identifiers (DIDs) in a verifiable and tamper-proof manner. The system enables a first DID to delegate a specific scope of permissions to a second DID, ensuring that the delegation is cryptographically verifiable and recorded on a distributed ledger for transparency. The process involves determining a relationship between two pairwise DIDs, where each DID represents a unique digital identity. The first DID defines the scope of permissions to be delegated, such as access to certain resources or actions. The system then grants the second DID's public key the defined permissions. To ensure authenticity, the first DID generates a cryptographic signature using its private key, proving that the delegation is authorized. This signature and related delegation data are then propagated onto a distributed ledger, such as a blockchain, to create an immutable record of the permission transfer. This approach enhances security and trust in decentralized identity systems by ensuring that permission delegations are verifiable, tamper-resistant, and transparent. The use of cryptographic signatures and distributed ledger technology prevents unauthorized modifications and provides a reliable audit trail for permission management.
February 27, 2020
February 1, 2022